Arnaud Giersch discovered that the "add_filename_to_string()" function in file intl/gettext/loadmsgcat.c uses an untrusted relative path, allowing for a format string attack with a malicious .po file.

Impact

A local attacker could entice a user to run ELinks in a specially crafted directory environment containing a malicious ".po" file, possibly resulting in the execution of arbitrary code with the privileges of the user running ELinks.